CIS 5371 Cryptography Home Assignment 3 –with answers

Due: At the beginning of the class on February 25, 2016
Exercises taken from the course textbook. Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography.
1. Let $G$ be a pseudorandom generator where $|G(s)| > 2|s|$. Take $s = s_1 \cdots s_n$, and for simplicity, $n$ even.
(a) Define $G'(s) \stackrel{\text{def}}{=} G(s0^{|s|})$. Is $G'$ necessarily a pseudorandom generator?
Answer. Note that $|G'(s)| > 4|s|$, and by repeating the process: $|G''(s)| > 8|s|$ for inputs of type $s0^{|s|}0^{2|s|}$, and so on, eventually getting $|G^{(n)}(s)| > 2^{n+1}|s|$: so output lengths that are unbounded in terms of $|s|$.
So, not true. To prove this observe that although $G$ is pseudorandom for random inputs in $\{0,1\}^{2|s|}$, for which the probability is $\frac{1}{2^{2|s|}}$, the probability of an input of type $s0^{|s|}$ is only $\frac{1}{2^{|s|}}$. So inputs of this type are not random and therefore the output need not be pseudorandom.
(b) Define $G'(s) \stackrel{\text{def}}{=} G(s_1 \cdots s_{n/2})$, where $s = s_1 \cdots s_n$. Is $G'$ necessarily a pseudorandom generator?
Answer. Yes. Let $|G(s)| = \ell(n)$ and
$$\varepsilon(n) \stackrel{\text{def}}{=} \Bigl|\Pr_{r \leftarrow \{0,1\}^{\ell(n)}}[D(r) = 1] - \Pr_{s \leftarrow \{0,1\}^n}[D(G'(s)) = 1]\Bigr|,$$
for a probabilistic polynomial-time distinguisher $D$. By definition of $G'$ we have:
$$\Pr_{s \leftarrow \{0,1\}^{n/2}}[D(G'(s)) = 1] = \Pr_{s \leftarrow \{0,1\}^{n/2}}[D(G(s_1 \cdots s_{n/2} \cdot 0^{n/2})) = 1],$$
and thus
$$\Bigl|\Pr_{r \leftarrow \{0,1\}^{\ell(n)}}[D(r) = 1] - \Pr_{s \leftarrow \{0,1\}^{n/2}}[D(G(s_1 \cdots s_{n/2} \cdot 0^{n/2})) = 1]\Bigr| = \varepsilon(n) = \varepsilon'(n/2),$$
where $\varepsilon'(n) \stackrel{\text{def}}{=} \varepsilon(2n)$. Since $\varepsilon'$ must be negligible, we conclude that $\varepsilon$ is negligible.
2. Let $G$ be a pseudorandom generator and define $G'(s)$ to be the output of $G$ truncated to $n$ bits (where $n = |s|$). Prove that the function $F_k(x) = G'(k) \oplus x$ is not pseudorandom.
Answer. Consider a distinguisher $D$ that is given oracle access either to a function $f$ that is truly random, or $F_k$ as defined above for a uniform choice of $k$. The distinguisher $D$ queries the oracle with (any) two distinct inputs $x$ and $x'$ of length $n$, and gets the responses $y$ and $y'$. $D$ then outputs 1 if and only if $x \oplus x' = y \oplus y'$.
When $D$ is given oracle access to $F_k$, we have that
$$y \oplus y' = F_k(x) \oplus F_k(x') = G'(k) \oplus x \oplus G'(k) \oplus x' = x \oplus x',$$
regardless of the exact choice of $k$. In contrast, for a random function $f$, the probability that $y \oplus y' = x \oplus x'$ is exactly $2^{-n}$. Therefore, $\Pr[D^{f(\cdot)}(1^n) = 1] = 2^{-n}$. So $\Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1] \ge 1 - \frac{1}{2^n}$.
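The two-query distinguisher from the answer above, run as a simulation. This is an added example, not part of the assignment or its answer key: it assumes SHAKE-256 truncated to n = 128 bits as a stand-in for the abstract G' (the page's G is never instantiated), builds the candidate F_k(x) = G'(k) ⊕ x on top of it, and compares D's output rate on F_k against its rate on a lazily sampled truly random function.

```python
import hashlib
import secrets

N_BYTES = 16  # n = 128 bits: length of keys, oracle inputs and oracle outputs


def g_prime(seed: bytes) -> bytes:
    """Stand-in for G'(s): a PRG output truncated to n = |s| bits.
    Assumption: SHAKE-256 plays the role of the abstract PRG G."""
    return hashlib.shake_256(seed).digest(N_BYTES)


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    return bytes(u ^ v for u, v in zip(a, b))


def f_k(k: bytes, x: bytes) -> bytes:
    """The candidate PRF F_k(x) = G'(k) XOR x from Exercise 2."""
    return xor(g_prime(k), x)


class RandomFunction:
    """A truly random function {0,1}^n -> {0,1}^n, sampled lazily per query."""

    def __init__(self):
        self.table = {}

    def __call__(self, x: bytes) -> bytes:
        if x not in self.table:
            self.table[x] = secrets.token_bytes(N_BYTES)
        return self.table[x]


def distinguisher(oracle) -> int:
    """D from the answer: query two distinct x, x'; output 1 iff x^x' == y^y'."""
    x = secrets.token_bytes(N_BYTES)
    x_prime = secrets.token_bytes(N_BYTES)
    while x_prime == x:  # the two queries must be distinct
        x_prime = secrets.token_bytes(N_BYTES)
    y, y_prime = oracle(x), oracle(x_prime)
    return int(xor(x, x_prime) == xor(y, y_prime))


def advantage(trials: int = 200):
    """Run D against F_k (fresh uniform k per trial) and against a fresh random
    function; return (rate of output 1 on F_k, rate of output 1 on random f).
    With the answer's analysis these are 1 and about 2^-n respectively."""
    hits_prf = 0
    hits_rand = 0
    for _ in range(trials):
        k = secrets.token_bytes(N_BYTES)
        hits_prf += distinguisher(lambda x: f_k(k, x))
        hits_rand += distinguisher(RandomFunction())
    return hits_prf / trials, hits_rand / trials


if __name__ == "__main__":
    p_prf, p_rand = advantage()
    print(f"Pr[D^F_k = 1] = {p_prf}, Pr[D^f = 1] = {p_rand}")
```

Because G'(k) cancels in the XOR of any two outputs, D is right on every trial against F_k regardless of the key, while against a random function the equality holds with probability 2^-128 per trial; the gap is the advantage 1 − 2^-n computed in the answer.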
3. Present a construction of a variable output-length pseudorandom generator from any pseudorandom function. Prove that your construction satisfies Definition 3.17.
Answer. Let $F$ be a pseudorandom function mapping $n$-bit inputs to $n$-bit outputs. Define $F_k[\ell]$ to be the series $F_k(0), F_k(1), \ldots$ truncated to exactly $\ell$ bits (there are $2^n$ possible inputs to $F$ and thus $F_k[\ell]$ is well-defined for any $\ell \le 2^n$). Define $G(s, 1^\ell) = F_s[\ell]$. Definition 3.17 requires that the output length of $G$ is $\ell$, which it is. Also $\ell < \ell'$ implies that $G(s, 1^\ell)$ is a prefix of $G(s, 1^{\ell'})$. It is easy to prove that $G_\ell$ is a pseudorandom generator for any polynomial $\ell$, by a straightforward reduction to the pseudorandomness of $F$. Finally the expansion rate is $\ell$ since the output of $G$ has length $|s| \cdot \ell$.
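The counter construction G(s, 1^ℓ) = F_s[ℓ] from the answer above, implemented so the output-length and prefix requirements of Definition 3.17 can be checked on concrete values. This is an added example, not the assignment's or the textbook's code: it assumes HMAC-SHA256 truncated to n = 128 bits as a stand-in for the abstract PRF F, encodes the counter i as an n-bit input, and returns the output as a string of '0'/'1' characters so that truncation to exactly ℓ bits is visible.

```python
import hashlib
import hmac

N_BITS = 128  # n: F maps n-bit inputs to n-bit outputs


def prf(k: bytes, i: int) -> bytes:
    """F_k(i) with the counter i encoded as an n-bit string.
    Assumption: HMAC-SHA256 truncated to n bits stands in for the abstract PRF F."""
    if not 0 <= i < 2 ** N_BITS:
        raise ValueError("counter outside the n-bit input domain of F")
    msg = i.to_bytes(N_BITS // 8, "big")
    return hmac.new(k, msg, hashlib.sha256).digest()[: N_BITS // 8]


def to_bits(b: bytes) -> str:
    """Render bytes as a string of '0'/'1' characters, most significant bit first."""
    return "".join(f"{byte:08b}" for byte in b)


def blocks_used(ell: int) -> int:
    """Number of PRF evaluations needed to produce ell output bits."""
    return -(-ell // N_BITS)  # ceiling division


def prg(s: bytes, ell: int) -> str:
    """G(s, 1^ell) = F_s[ell]: the series F_s(0) || F_s(1) || ... cut to exactly ell bits.
    The answer restricts ell <= 2^n, which keeps every counter value inside F's domain."""
    if not 0 <= ell <= 2 ** N_BITS:
        raise ValueError("requested output length not supported by F_s[ell]")
    chunks = [to_bits(prf(s, i)) for i in range(blocks_used(ell))]
    return "".join(chunks)[:ell]


def prefix_property_holds(s: bytes, ell: int, ell_prime: int) -> bool:
    """Definition 3.17 prefix requirement: ell < ell' implies G(s,1^ell) is a prefix of G(s,1^ell')."""
    if ell >= ell_prime:
        raise ValueError("ell must be strictly smaller than ell'")
    return prg(s, ell_prime).startswith(prg(s, ell))


if __name__ == "__main__":
    seed = b"\x01" * (N_BITS // 8)  # constructed sample seed
    out = prg(seed, 300)
    print(len(out), blocks_used(300), prefix_property_holds(seed, 37, 300))
```

Note that the output length is exactly ℓ even when ℓ is not a multiple of n (300 bits take three 128-bit PRF blocks, the last one truncated), and that prefix consistency follows directly from the fact that a shorter request simply stops the same counter sequence earlier.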
Mike Burmester